net-update verification checking is still insecure (aka gpg key shadowing, again)
Bug #1013639 reported by Jamie Strandboge
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apt (Ubuntu) | Fix Released | Critical | Jamie Strandboge | |
| Hardy | Fix Released | Critical | Jamie Strandboge | |
| Lucid | Fix Released | Critical | Jamie Strandboge | |
| Natty | Fix Released | Critical | Jamie Strandboge | |
| Oneiric | Fix Released | Critical | Jamie Strandboge | |
| Precise | Fix Released | Critical | Jamie Strandboge | |
| Quantal | Fix Released | Critical | Jamie Strandboge | |
Bug Description
This is related to but different than:
https:/
https:/
FYI:
http://
http://
The fix for both of the previous bugs was not enough. There is reportedly an active exploit utilizing the Ubuntu CD Image Automatic Signing Key.
| summary: | - gpg key shadowing, again |
| | + net-update verification checking is still insecure (aka gpg key shadowing, again) |
| Changed in apt (Ubuntu Lucid): | |
| status: | In Progress → Fix Committed |
| Changed in apt (Ubuntu Natty): | |
| status: | In Progress → Fix Committed |
| Changed in apt (Ubuntu Oneiric): | |
| status: | In Progress → Fix Committed |
| Changed in apt (Ubuntu Precise): | |
| status: | In Progress → Fix Committed |
| Changed in apt (Ubuntu Quantal): | |
| status: | In Progress → Fix Committed |
| Changed in apt (Ubuntu Hardy): | |
| status: | In Progress → Fix Committed |

This has been assigned CVE-2012-0954.